-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:24                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          SSH1 implementations may allow remote system, data compromise

Category:       core/ports
Module:         openssh, ssh
Announced:      2001-02-12
Credits:	Michal Zalewski <lcamtuf@razor.bindview.com> (Vulnerability 1)
                Core-SDI (http://www.core-sdi.com) (Vulnerability 2)
Affects:        FreeBSD 4.x, 4.2-STABLE prior to the correction date
                Ports collection prior to the correction date.
Corrected:      OpenSSH [FreeBSD 4.x base system]:
                   2000-12-05 (Vulnerability 1)
                   2001-02-11 (Vulnerability 2)
                OpenSSH [ports]:
                   2001-02-09 (Vulnerability 1)
                   2001-02-11 (Vulnerability 2)
                ssh [ports]:
                   2001-02-09 (Vulnerability 1)
                   2001-02-09 (Vulnerability 2)
Vendor status:  Patches released.
FreeBSD only:   NO

I.   Background

OpenSSH is an implementation of the SSH1 and SSH2 secure shell
protocols for providing encrypted and authenticated network access,
which is available free for unrestricted use.

An SSH1 client/server (ssh) from ssh.com is included in the ports
collection.  This software is not available free of charge for all
uses, and the FreeBSD Security Officer does not recommend its use.

II.  Problem Description

There are two flaws in the SSH1 protocol as implemented by OpenSSH and
ssh.

Vulnerability 1:

  An integer overflow may allow arbitrary remote users to obtain root
  permissions on the server running sshd.  This is due to a coding
  mistake in code intended to work around a protocol flaw in the SSH1
  protocol.  This vulnerability was corrected in OpenSSH 2.3.0, which
  was committed to FreeBSD 4.2-STABLE on 2000-12-05.

Vulnerability 2;

  Remote attackers who can observe the encrypted contents of a user's
  SSH1 session, and who have the ability to mount large numbers of
  connections fo the SSH1 server may be able to break the transient
  server key used by the server to negotiate encryption parameters for
  the session, and from there can decrypt the entire contents of the
  snooped connection.  The transient key has a lifetime of only one
  hour by default, but all snooped SSH1 sessions captured within this
  timeframe may be broken if the attack is successful.

  This attack is mitigated by the requirement to initiate large
  numbers of SSH1 protocol connections to the server during the
  lifetime of the key.  On average a sustained connection rate of
  around 400 connections and SSH1 protocol handshakes must be carried
  out per second to have a high chance of succeeding within the 1 hour
  lifetime of the server key.  OpenSSH contains rate-limiting code
  which will limit the number of outstanding connections to a fraction
  of this number in the default configuration, and computational and
  network limitations may reduce this number still further.
  Therefore, though the potential impact of this flaw is great, it is
  made very difficult to exploit in practice.  However, note that even
  though the chances of success are reduced, the vulnerability is not
  eliminated.

OpenSSH is installed if you chose to install the 'crypto' distribution
at install-time or when compiling from source, and is installed and
enabled by default as of FreeBSD 4.1.1-RELEASE.  By default SSH1
protocol support is enabled.

If SSH1 protocol support has been disabled in OpenSSH, it is not
vulnerable to these attacks.  They do not affect implementations of
the SSH2 protocol, such as OpenSSH run in SSH2-only mode.

Versions of the OpenSSH port prior to openssh-2.2.0_2, and versions
of the ssh port prior to ssh-1.2.27_3 are vulnerable to these attacks.

III. Impact

Arbitrary remote users may be able to execute arbitrary code as root
on an SSH1 server accepting connections via the SSH1 protocol.

Remote users who can snoop the encrypted contents of SSH1 sessions
belonging to other users, and who can mount a very high rate of
connections to the server may be able to mount an attack leading to
the ability to decrypt these sessions.  This attack may disclose
account password details as well as other sensitive data.

IV.  Workaround

If you are running sshd, disable the use of the SSH1 protocol in
OpenSSH.  SSH1 contains inherent protocol deficiencies and is not
recommended for use in high-security environments.  Note that some
third-party SSH clients are not capable of using the SSH2 protocol,
however the OpenSSH client (version 2.1 and later) included in FreeBSD
is SSH2-capable.

To disable SSH1, add the following line to the /etc/ssh/sshd_config
file (/usr/local/etc/sshd_config for the OpenSSH port):

Protocol 2

and remove any other "Protocol" directives from that file.

Execute the following command as root:

# kill -HUP `cat /var/run/sshd.pid`

This will cause the parent process to reread its configuration file,
and should not interfere with existing SSH sessions.

V.   Solution

- --[OpenSSH - base system]-----

One of the following:

1) Upgrade to FreeBSD 4.2-STABLE after the correction date.  Note that
these versions of FreeBSD contain a newer version of OpenSSH (version
2.3.0) than was in 4.2-RELEASE (version 2.2.0).

2) Download the patch and detached PGP signature from the following
location:

The following patch applies to FreeBSD 4.2-RELEASE.

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24/sshd-4.2-release.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24/sshd-4.2-release.patch.asc

The folllowing patch applies to FreeBSD 4.2-STABLE which is running
OpenSSH 2.3.0 (4.2-STABLE dated after 2000-12-05)

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24/sshd-4.2-stable.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:24/sshd-4.2-stable.patch.asc

Verify the detached signature using your PGP utility.

Issue the following commands as root:

# cd /usr/src/crypto/openssh
# patch -p < /path/to/patch
# cd /usr/src/secure/lib/libssh
# make all
# cd /usr/src/secure/usr.bin/ssh-agent
# make all install
# cd /usr/src/secure/usr.sbin/sshd
# make all install

Finally, if sshd is already running then kill and restart the sshd
daemon: perform the following command as root:

# kill -KILL `cat /var/run/sshd.pid` && /usr/sbin/sshd

This will not affect sessions in progress.

- --[OpenSSH - port]-----

Use one of the following options to upgrade the OpenSSH software, then
kill and restart the sshd daemon if it is already running.  This will
not affect sessions in progress.

To kill and restart the sshd daemon, perform the following command as
root:

# kill -KILL `cat /var/run/sshd.pid` && /usr/local/sbin/sshd

1) Upgrade your entire ports collection and rebuild the OpenSSH port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/security/openssh-2.2.0_2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/openssh-2.2.0_2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/openssh-2.2.0_2.tgz

NOTE: It may be several days before updated packages are available.

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.
 
3) download a new port skeleton for the OpenSSH port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

- --[ssh - port]-----

Use one of the following options to upgrade the ssh software, then
kill and restart the sshd daemon if it is already running.  This will
not affect sessions in progress.

To kill and restart the sshd daemon, perform the following command as
root:

# kill -KILL `cat /var/run/sshd.pid` && /usr/local/sbin/sshd

1) Upgrade your entire ports collection and rebuild the ssh port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/security/ssh-1.2.27_3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/ssh-1.2.27_3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/ssh-1.2.27_3.tgz

NOTE: It may be several days before updated packages are available.

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.
 
3) download a new port skeleton for the OpenSSH port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOoiAylUuHi5z0oilAQEoVgP/Qc5UXjRnR3byHZfQyM4VyuwCWAWeAaD7
HPjlhLTiOb0HUqsVhiraIX5Mgi5ReySj2wREd4EKW9pEKiXfcXCWItivG8PrV/P8
NHEo5B393r1G8ovtkt3fu0bQ7RhOrxOeHRn5mxbmk8pIrRg7oxeZ02ygJiCV8LqT
hoOxMmU4FYQ=
=REEI
-----END PGP SIGNATURE-----
